Adam Shostack & friends – Page 2 – Security, privacy, economics and unrelated topics since 2005

Aretha Franklin

I remember an interview I read with Ahmet Ertegün, the founder of Atlantic Records. He was talking about Aretha, and he said that one of his producers came in, saying that she wasn’t measuring up. He asked the producer what was up, and was told that they were trying to get her to sing like the other successful soul singers, and it wasn’t working out.

Ertegün told the producer that he saw the problem, sitting right there. The fellow didn’t want to let Aretha do what she knew, which was gospel.

There’s a lot of wisdom in that short story, from not wanting to impose our vision of what people should be, to seeing the root of a problem.

In the meanwhile, I just hope that she pulls through. She’s given a lot of joy to a lot of people, and she deserves a long, happy retirement.

Threat Modeling in 2018: Attacks, Impacts and Other Updates

The slides from my Blackhat talk, “Threat Modeling in 2018: Attacks, Impacts and Other Updates” are now available either as a PDF or online viewer.

CSO on AppSec at the Speed of Devops

“20 Ways to Make AppSec Move at the Speed of DevOps” is in CSO. It’s a good collection, and I’m quoted.

CyberSecurity Hall of Fame

Congratulations to the 2016 winners!

Dan Geer, Chief Information Security Officer at In-Q-Tel;
Lance J. Hoffman, Distinguished Research Professor of Computer Science, The George Washington University;
Horst Feistel, Cryptographer and Inventor of the United States Data Encryption Standard (DES);
Paul Karger, High Assurance Architect, Prolific Writer and Creative Inventor;
Butler Lampson, Adjunct Professor at MIT, Turing Award and Draper Prize winner;
Leonard J. LaPadula, Co-author of the Bell-LaPadula Model of Computer Security; and
William Hugh Murray, Pioneer, Author and Founder of the Colloquium for Information System Security Education (CISSE)

In a world where influence seems to be measured in likes, re-tweets and shares, the work by these 7 fine people really stands the test of time. For some reason this showed up on Linkedin as “Butler was mentioned in the news,” even though it’s a few years old. Again, test of time.

Summer Reading List

I’m honored to have my threat modeling book on this short list with Daniel Kahneman, Tony Hsieh, Nicole Forsgren, and Tom DeMarco: “Summer Reading List: Top Recommendations from our Engineers.”

CyberSecurity 2.0 Humble Bundle

Cybersecurity 2.0 is a new promo from Humble Bundle. Nearly $800 worth of books, including my Threat Modeling, Schneier’s Secrets and Lies, and a whole lot more!

Threat Modeling Thursday: 2018

Since I wrote my book on the topic, people have been asking me “what’s new in threat modeling?” My Blackhat talk is my answer to that question, and it’s been taking up the time that I’d otherwise be devoting to the series.

As I’ve been practicing my talk*, I discovered that there’s more new than I thought, and I may not be able to fit in everything I want to talk about in 50 minutes. But it’s coming together nicely.

The current core outline is:

What are we working on
- The fast moving world of cyber
- The agile world
- Models are scary
What can go wrong? Threats evolve!
- STRIDE
- Machine Learning
- Conflict

And of course, because it’s 2018, there’s cat videos and emoji to augment logic. Yeah, that’s the word. Augment. 🤷‍♂️

Wednesday, August 8 at 2:40 PM.

* Oh, and note to anyone speaking anywhere, and especially large events like Blackhat — as the speaker resources say: practice, practice, practice.

Half the US population will live in 8 states

That’s the subject of a thought-provoking Washington Post article, “In about 20 years, half the population will live in eight states,” and 70% of Americans will live in 15 states. “Meaning 30 percent will choose 70 senators. And the 30% will be older, whiter, more rural, more male than the 70 percent.” Of course, as the census shows the population shifting, the makeup of the House will also change dramatically.

Maybe you think that’s good, maybe you think that’s bad. It certainly leads to interesting political times. Maybe even a bit of chaos, emerging.

Hey, this movie looks pretty interesting!

Keeping the Internet Secure

Today, a global coalition led by civil society and technology experts sent a letter asking the government of Australia to abandon plans to introduce legislation that would undermine strong encryption. The letter calls on government officials to become proponents of digital security and work collaboratively to help law enforcement adapt to the digital era.

In July 2017, Prime Minister Malcolm Turnbull held a press conference to announce that the government was drafting legislation that would compel device manufacturers to assist law enforcement in accessing encrypted information. In May of this year, Minister for Law Enforcement and Cybersecurity Angus Taylor restated the government’s priority to introduce legislation and traveled to the United States to speak with companies based there.

Today’s letter signed by 76 organizations, companies, and individuals, asks leaders in the government “not to pursue legislation that would undermine tools, policies, and technologies critical to protecting individual rights, safeguarding the economy, and providing security both in Australia and around the world.” (Read the full announcement here)

I’m pleased to have joined in this effort by Accessnow, and you can sign, too, at https://secureaustralia.org.au. Especially if you are Australian, I encourage you to do so.